From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 7 Aug 2012 13:46:18 -0400
Subject: [refpolicy] [PATCH]: force a label on the fc_sort executable
In-Reply-To: <201208050106.q7516Vog005937@vivaldi08.register.it>
References: <201208050106.q7516Vog005937@vivaldi08.register.it>
Message-ID: <5021546A.1080603@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/04/12 21:06, Guido Trentalancia wrote:
> Force a bin_t label on the fc_sort executable after creating it, to avoid possible
> execution denials under certain conditions.
>
> Signed-off-by: Guido Trentalancia
> --- > Makefile | 1 + > 1 file changed, 1 insertion(+) > > --- refpolicy-04062012/Makefile 2012-05-29 21:13:09.413703575 +0200 > +++ refpolicy-04062012-chcon-fc_sort/Makefile 2012-08-04 21:35:57.396092798 +0200 > @@ -400,6 +400,7 @@ $(mod_conf) $(booleans): $(polxml) > # > $(fcsort) : $(support)/fc_sort.c > $(verbose) $(CC) $(CFLAGS) $^ -o $@ > + chcon system_u:object_r:bin_t:s0 $(tmpdir)/fc_sort > > ######################################## > #

I'm not sure this actually is a good choice because this may be done on a different system than where the policy will be deployed. It may have a different policy running or even SELinux disabled.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
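Review bot: the added chcon line in the $(fcsort) rule runs unconditionally and is not guarded, so on a build host where SELinux is disabled, or where the running policy does not define bin_t, chcon exits non-zero and make stops at this rule even though the compile on the previous line succeeded. If the relabel is kept, it should run only when the host can apply the label, or be marked non-fatal with a leading "-" so the build can continue. The line also hard-codes $(tmpdir)/fc_sort, while the rule's target is $(fcsort) and the compile line writes to $@; using $@ here keeps the label applied to whatever file the rule actually produced if $(fcsort) is ever defined differently. The full context system_u:object_r:bin_t:s0 is fixed as well, including the s0 level, which ties the recipe to the label format of the build host's policy instead of the policy being built. Finally, the new line lacks the $(verbose) prefix used by the line above it, so it echoes differently from the other commands in the rule.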